BRAZIL
Since March 2018
Since July 2014
Since July 2014
Pillar Cross-border data policies |
Sub-pillar Ban to transfer and local processing requirement
Ordinance No. 9/2018 (Portaria No. 9, de 15 de março de 2018)
Complementary Standard 09/IN01/DSIC/GSI/PR (Norma Complementar 09/IN01/DSIC/GSI/PR)
Complementary Standard 09/IN01/DSIC/GSI/PR (Norma Complementar 09/IN01/DSIC/GSI/PR)
According to Section 5.3 of Ordinance No. 9/2018, data, metadata, information and knowledge produced or stored by Federal Public Administration (FPA) bodies and its backups shall reside in the Brazilian territory. In addition, Section 5.4 stipulates that the data, metadata, information and knowledge generated or held by a FPA entity or body relating to personal data (relating to intimacy, privacy, honour and image), information with restricted access under current legislation and preparatory documents may be processed in a cloud computing environment at the discretion of the FPA entity or body, taking into account current legislation, but must reside exclusively on Brazilian territory. According to the Complementary Standard 09/IN01/DSIC/GSI/PR, the bodies and entities of the FPA must comply with certain procedures, one of which can be found in Section 5.3, which states that all confidential information can only be stored in a data processing centre provided by the bodies and entities of the FPA, in accordance with the legislation in force. Confidential information is defined as information that is temporarily restricted from public access due to its indispensability for the security of society and the State.
Also, Section 5.2.2.1 of Ordinance No. 9/2018 states that processing of classified information in a cloud computing environment is prohibited. Classified information is defined as confidential information that has been assigned a degree of secrecy in accordance with specific classification procedures set out in applicable legislation.
Also, Section 5.2.2.1 of Ordinance No. 9/2018 states that processing of classified information in a cloud computing environment is prohibited. Classified information is defined as confidential information that has been assigned a degree of secrecy in accordance with specific classification procedures set out in applicable legislation.
Coverage Public sector
Sources
- https://antigo.mctic.gov.br/mctic/export/sites/institucional/legislacao/Arquivos/Anexo_Port_GSI_PR_9_2018_tratamento_Informacao_Nuvem.pdf
- https://web.archive.org/web/20240713082151/https://datasus.saude.gov.br/wp-content/uploads/2019/08/Norma-Complementar-n%C2%BA-09IN01DSICGSIPR.pdf
- https://www.lexology.com/library/detail.aspx?g=980b7a87-a569-499d-b631-88595d8c1927
- https://www.state.gov/reports/2023-investment-climate-statements/brazil/
- https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost/
- https://www.dataguidance.com/notes/brazil-data-transfers
- Show more...
BRAZIL
Since February 2021, entry into force in July 2021, last amended in January 2024
Since April 2021, entry into force in August 2021, last amended in January 2024
Since April 2021, entry into force in August 2021, last amended in January 2024
Pillar Cross-border data policies |
Sub-pillar Conditional flow regime
Resolution CMN No. 4,893 (Resolução CMN No. 4.893)
Resolution BCB No. 85 (Resolução BCB No. 85)
Resolution BCB No. 85 (Resolução BCB No. 85)
Art. 12 of Resolution CMN No. 4,893 and Art. 12 of Resolution BCB No. 85 state that institutions authorised to operate by the Central Bank of Brazil (Banco Central do Brasil, BCB) may contract cloud and data processing services in Brazil or abroad as long as they adopt corporate governance practices proportionate to the service hired and the risks to which they are exposed to, and verify the capability of the potential service to ensure compliance with the current legislation, institution's access to data, the confidentiality and integrity of data, adherence to certification patterns required by the institution, access to auditing reports, provision of information and management resources appropriate to the monitoring of services provided, identification of the institution's customer data and quality of access controls aimed at protecting customers data. In addition, Art. 15 of both Resolutions establishes that the companies should notify BCB of the countries where financial data is processed. Also, Art. 16 of both Resolutions provides that the contracting of data processing, data storage and cloud computing relevant services provided abroad must fulfil the following requisites:
- The existence of an agreement for the exchange of information between the BCB and the supervisory authorities of the countries where the services may be provided;
- The contracting institution must ensure that the provision of the services does not cause damage to its own functioning, neither do they deter the action of the BCB;
- The contracting institution must define, previously to the contracting, the countries and the regions in each country where the services can be provided and the data can be stored, processed and managed;
- The contracting institution must anticipate alternatives for business continuity, either in the case of the impossibility of continuing the contract or terminating it.
The BCB's prior approval must be obtained if the institution retains a cloud service provider in countries where there is no agreement to exchange information between the BCB and the competent authorities. The institutions must request such approval from the BCB at least 60 days before retaining the cloud services in question.
- The existence of an agreement for the exchange of information between the BCB and the supervisory authorities of the countries where the services may be provided;
- The contracting institution must ensure that the provision of the services does not cause damage to its own functioning, neither do they deter the action of the BCB;
- The contracting institution must define, previously to the contracting, the countries and the regions in each country where the services can be provided and the data can be stored, processed and managed;
- The contracting institution must anticipate alternatives for business continuity, either in the case of the impossibility of continuing the contract or terminating it.
The BCB's prior approval must be obtained if the institution retains a cloud service provider in countries where there is no agreement to exchange information between the BCB and the competent authorities. The institutions must request such approval from the BCB at least 60 days before retaining the cloud services in question.
Coverage Financial sector
Sources
- https://web.archive.org/web/20240826185044/https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolu%C3%A7%C3%A3o%20CMN&numero=4893
- https://web.archive.org/web/20230304211840/https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolu%C3%A7%C3%A3o%20BCB&numero=85
- https://www.dataguidance.com/notes/brazil-data-transfers
- https://www.dataguidance.com/opinion/brazil-data-protection-financial-sector
- https://read.oecd.org/10.1787/179f718a-en?format=pdf
- https://resourcehub.bakermckenzie.com/en/resources/cloud-compliance-center/latin-america/brazil
- Show more...
BRAZIL
Since August 2018, entry into force in September 2020
Pillar Cross-border data policies |
Sub-pillar Conditional flow regime
Law No. 13,709 of 14 August 2018 - General Personal Data Protection Law (Lei No. 13.709, de 14 de agosto de 2018 - Lei Geral de Proteção de Dados Pessoais)
The Personal Data Protection Law allows the international transfer of personal data only under certain conditions (Arts. 33-36). The main conditions for such a transfer are that the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given their consent explicitly; or the transfer is necessary for the performance of a contract between the data subject and the controller. Art. 11 provides stricter conditions for processing sensitive personal data, and it is reported that, in practice, these conditions forced many organisations to store privacy-sensitive data in Brazil. The law applies extraterritorially to all companies that target Brazilian consumers, even when the company is not established in the Brazilian market.
Coverage Horizontal
Sources
- https://web.archive.org/web/20231224214733/http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
- https://platform.dataguidance.com/sites/default/files/lgpd_translation.pdf
- https://www.dataguidance.com/jurisdiction/brazil
- https://web.archive.org/web/20230327171333/https://idc-a.org/news/industry/Brazils-data-localization-law-spurs-investment-growth-in-data-centers/5b0eadb4-cfb8-49b7-b3a3-be6b49c82e8b
- Show more...
BRAZIL
Signed in November 2018, entry into force January 2022
Pillar Cross-border data policies |
Sub-pillar Participation in trade agreements committing to open cross-border data flows
Chile-Brazil Bilateral Trade Agreement (Brazil Chile FTA)
Brazil has joined an agreement with binding commitments to open data transfers across borders: the Chile-Brazil Bilateral Trade Agreement (Art. 10.12).
Coverage Horizontal
BRAZIL
Since August 2018, entry into force in September 2020
Pillar Domestic data policies |
Sub-pillar Framework for data protection
Law No. 13,709 of 14 August 2018 - General Personal Data Protection Law (Lei No. 13.709, de 14 de agosto de 2018 - Lei Geral de Proteção de Dados Pessoais)
The Personal Data Protection Law provides a framework for comprehensive data protection in Brazil. It applies to the treatment of personal data, including through digital means, by natural or juridical persons of a public or private nature. The law applies regardless of the country of origin of the person and the country where data is located provided that: data treatment is made in the national territory; or data treatment activities aims at the supply of goods or services or data treatment of individuals located in the national territory; or data has been collected in the national territory.
Coverage Horizontal
BRAZIL
Since April 2014
Pillar Domestic data policies |
Sub-pillar Minimum period for data retention
Law No. 12,965 of 2014 - Civil Rights Framework for the Internet (Lei No. 12.965 de 2014 - Marco Civil da Internet)
Art. 13 of the Civil Rights Framework for the Internet states that connection logs of Internet service providers (ISPs) should be retained for a minimum period of one year. The police, administrative authorities, or the Public Prosecutor's Office may request in a precautionary manner that the connection logs be kept for a longer period. Authorities have a period of 60 days, counting from the time of the request, to obtain a court order to access the information.
Coverage Internet service providers (ISPs)
BRAZIL
Since April 2014
Pillar Domestic data policies |
Sub-pillar Minimum period for data retention
Law No. 12,965 of 2014 - Civil Rights Framework for the Internet (Lei No. 12.965 de 2014 - Marco Civil da Internet)
According to Art. 15 of the Civil Rights Framework for the Internet, internet application providers that are constituted as a legal entity and that carry out this activity in an organised manner professionally and with economic purposes must retain the respective records of access to the Internet applications for a period of six months. Internet applications are defined in Art. 5 (VII) as a set of functionalities that can be accessed through a terminal connected to the Internet.
Coverage Internet application providers
BRAZIL
Since August 2013
Pillar Domestic data policies |
Sub-pillar Minimum period for data retention
Criminal Organisation Law (Lei No. 12.850)
According to Art. 17 of Criminal Organisation Law, concessionaires of fixed or mobile telephony must keep, for a period of five years, at the disposal of the Police Chief or the Public Prosecutor, records of identification of the terminal numbers of origin and destination of international, long distance and local phone calls.
Coverage Telecommunication sector
BRAZIL
Since 2021
Since August 2018, entry into force in September 2020
Since August 2018, entry into force in September 2020
Pillar Domestic data policies |
Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
National Agency for Data Protection - Guidelines for the Appointment of Data Treatment Agents and Data Protection Officers, 2021 (Agência Nacional de Proteção de Dados - Diretrizes para a Nomeação de Agentes de Tratamento de Dados e Encarregados de Proteção de Dados, 2021)
Law No. 13,709 of 14 August 2018 - General Personal Data Protection Law (Lei No. 13.709, de 14 de agosto de 2018 - Lei Geral de Proteção de Dados Pessoais)
Law No. 13,709 of 14 August 2018 - General Personal Data Protection Law (Lei No. 13.709, de 14 de agosto de 2018 - Lei Geral de Proteção de Dados Pessoais)
The Guidelines for the Appointment of Data Treatment Agents and Data Protection Officers clarify Art. 41 of the Data Protection Law, setting out that all institutions, either public or private, have an obligation to appoint a Data Protection Officer ("encarregado") (DPO). A previous reading of the Art. 23 of Law led to the conclusion that only public institutions would be obliged to appoint a DPO. However, the guidelines state that the Data Protection Law does not determine the circumstances in which an organisation should appoint a DPO. Therefore, as a general rule, one must assume that all organisations must appoint a DPO. However, §3 of Art. 41 states that future regulations of the National Authority may determine the hypothesis for the dispensation of the need to appoint a DPO, taking into account the nature, size, and volume of data treatment operations
Coverage Horizontal
BRAZIL
Since July 1997, last amended in June 2021
Since April 2015
Since October 2017
Since April 2015
Since October 2017
Pillar Telecom infrastructure & competition |
Sub-pillar Passive infrastructure sharing obligation
General Telecommunications Law No. 9,472/1997 (Lei Geral das Telecomunicações No. 9.472/1997)
Law No. 13,116/2015 (Lei No. 13.116/2015)
Regulation for Sharing Support Infrastructure to the Provision of Telecommunications Services (Regulamento de Compartilhamento de Infraestrutura de Suporte à Prestação de Serviço de Telecomunicações)
Law No. 13,116/2015 (Lei No. 13.116/2015)
Regulation for Sharing Support Infrastructure to the Provision of Telecommunications Services (Regulamento de Compartilhamento de Infraestrutura de Suporte à Prestação de Serviço de Telecomunicações)
Brazil has established an obligation for passive infrastructure sharing to deliver telecom services to end users. In addition, passive infrastructure sharing is practised in the mobile sector and in the fixed sector. According to Art. 73 of Law No. 9,472/1997, telecom service providers of collective interest have the right to use posts, ducts, conduits, and easements owned or controlled by a provider of telecom services or other services of public interest in a non-discriminatory manner and at fair and reasonable prices and conditions. On the other hand, Law No. 13,116/2015 establishes general rules for the implementation and sharing of telecommunications infrastructure. Additionally, Resolution No. 683/2017 of the "Agência Nacional de Telecomunicações" (Anatel, National Telecommunications Agency) approved the Regulation for Sharing Support Infrastructure to the Provision of Telecommunications Services, which aims to discipline the sharing of infrastructure.
Coverage Telecommunications sector
Sources
- https://web.archive.org/web/20231111150045/http://www.planalto.gov.br/ccivil_03/leis/l9472.htm
- https://web.archive.org/web/20231204160552/http://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2015/Lei/L13116.htm
- https://web.archive.org/web/20220812160321/https://informacoes.anatel.gov.br/legislacao/resolucoes/2017/949-resolucao-683
- https://web.archive.org/web/20221208163709/https://www.oecd-ilibrary.org/sites/1343f784-en/index.html?itemId=/content/component/1343f784-en
- https://www.azevedosette.com.br/news/en/telecoms-infrastructure-iii-network-sharing-neutral-network/5986
- https://datahub.itu.int/data/?i=100014
- Show more...
BRAZIL
Reported in 2022
Pillar Telecom infrastructure & competition |
Sub-pillar Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
Telecomunicações Brasileiras SA (Telebras), the former incumbent, is a state-owned company created by Law No. 5,792 of July 1972. As established by Decree No. 7.175 of 2010, its task is to implement public policies related to the universalisation of telecommunications access in Brazil. As of December 2022, it was reported that the government-owned approximately 97% of the company's shares. Of these, 93% were held by the Federal Government, while 4% were held by Financiadora de Estudos e Projetos (FINEP). FINEP, a Brazilian federal organisation under the Ministry of Science and Technology, is responsible for financing scientific and technological advancements in the country.
Coverage Telecommunications sector
Sources
- https://web.archive.org/web/20221006011450/http://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Decreto/D9612.htm#art14
- https://web.archive.org/web/20230322072056/http://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Decreto/D9612.htm
- https://www.telebras.com.br/wp-content/uploads/2023/03/124320_011258_17032023180318.pdf
- Show more...
BRAZIL
N/A
Pillar Telecom infrastructure & competition |
Sub-pillar Functional/accounting separation for operators with significant market power
Requirement of accounting and functional separation for dominant network operators
It is reported that Brazil mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market.
Coverage Telecommunications sector
BRAZIL
Since July 1997, last amended in June 2021
Pillar Telecom infrastructure & competition |
Sub-pillar Other restrictions to operate in the telecom market
General Telecommunications Law No. 9,472/1997 (Lei Geral das Telecomunicações No. 9.472/1997)
According to Art. 86 of the General Telecommunications Law, a telecommunication service license can only be granted to companies organised and existing under Brazilian law and which have their principal place of business and administration in Brazil. Furthermore, Art. 87 determines that any company or holding company granted a concession that already renders, in the same geographical area, the same type of service subject to a bidding procedure will be obliged to transfer the service previously rendered to a third party within 18 months from the execution date of the concession agreement. Failure to observe this provision can result in forfeiture of the license, as well as other sanctions set out in the grant procedure.
Coverage Telecommunications sector
BRAZIL
Reported in 2022, last reported in 2023
Pillar Telecom infrastructure & competition |
Sub-pillar Other restrictions to operate in the telecom market
Discrimination of foreign satellite operators
It has been reported that although Brazil permits Brazilian-owned entities to acquire the exclusive right to operate a satellite and its associated frequencies from specific positions, foreign-licensed satellite operators may obtain only a non-exclusive right (a landing right) to provide service in Brazilian territory. The National Telecommunications Agency (ANATEL) grants these landing rights for a fixed term of no longer than 15 years, after which the operator must reacquire the landing rights in order to continue providing services. Foreign operators are also required to pay higher annual landing fees than Brazilian firms.
Coverage Satellite operators
BRAZIL
N/A
Pillar Telecom infrastructure & competition |
Sub-pillar Signature of the WTO Telecom Reference Paper
Lack of appendment of WTO Telecom Reference Paper to schedule of commitments
Brazil has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector